diff --git a/VERSION.txt b/VERSION.txt index e2ba070499dfb..cdb8aa019ba7a 100644 --- a/VERSION.txt +++ b/VERSION.txt @@ -1 +1 @@ -1.37.5 +1.37.6-dev diff --git a/changelogs/current/PLACEHOLDER.txt b/changelogs/current/PLACEHOLDER similarity index 100% rename from changelogs/current/PLACEHOLDER.txt rename to changelogs/current/PLACEHOLDER diff --git a/changelogs/current/behavior_changes/build__disable_dlb.rst b/changelogs/current/behavior_changes/build__disable_dlb.rst deleted file mode 100644 index 484fd717fb352..0000000000000 --- a/changelogs/current/behavior_changes/build__disable_dlb.rst +++ /dev/null @@ -1,5 +0,0 @@ -The contrib extension ``envoy.network.connection_balance.dlb`` (Intel DLB -connection balancer) has been disabled at the Bazel layer for all builds and -platforms due to a breakage at the source archive. - -See https://github.com/envoyproxy/envoy/issues/45491 for local workarounds. diff --git a/changelogs/current/bug_fixes/dns_filter__fixed-abort-on-long-name.rst b/changelogs/current/bug_fixes/dns_filter__fixed-abort-on-long-name.rst deleted file mode 100644 index a387367d9f4fa..0000000000000 --- a/changelogs/current/bug_fixes/dns_filter__fixed-abort-on-long-name.rst +++ /dev/null @@ -1,4 +0,0 @@ -Fix `CVE-2026-48497 `_ - -Fix sanity checking of the query name length to avoid abnormal process termination. Use ``ENVOY_BUG`` -in case sanity check fails. diff --git a/changelogs/current/bug_fixes/ext_authz__fixed-a-use-after-free-crash-in-the.rst b/changelogs/current/bug_fixes/ext_authz__fixed-a-use-after-free-crash-in-the.rst deleted file mode 100644 index 2d172861a5cfa..0000000000000 --- a/changelogs/current/bug_fixes/ext_authz__fixed-a-use-after-free-crash-in-the.rst +++ /dev/null @@ -1,4 +0,0 @@ -Fix: `CVE-2026-47205 `_ - -Fixed a use-after-free crash in the ext_authz filter when per-route service overrides are active -and the downstream connection resets during an in-flight authorization check. 
diff --git a/changelogs/current/bug_fixes/ext_proc__fixed-a-bug-when-the-ext-proc-server.rst b/changelogs/current/bug_fixes/ext_proc__fixed-a-bug-when-the-ext-proc-server.rst deleted file mode 100644 index 8ea9ea69a93a4..0000000000000 --- a/changelogs/current/bug_fixes/ext_proc__fixed-a-bug-when-the-ext-proc-server.rst +++ /dev/null @@ -1,3 +0,0 @@ -Fix: `CVE-2026-47207 `_ - -Fixed a bug when the ext_proc server sends packed unexpected ProcessingResponses to Envoy. diff --git a/changelogs/current/bug_fixes/formatter__fixed-a-crash-bug-in-the-requested.rst b/changelogs/current/bug_fixes/formatter__fixed-a-crash-bug-in-the-requested.rst deleted file mode 100644 index 24978185db35b..0000000000000 --- a/changelogs/current/bug_fixes/formatter__fixed-a-crash-bug-in-the-requested.rst +++ /dev/null @@ -1,4 +0,0 @@ -Fix: `CVE-2026-47220 `_ - -Fixed a crash bug in the ``%REQUESTED_SERVER_NAME%`` formatter where the host or original host is not set -correctly but the formatter is configured to access the host value. diff --git a/changelogs/current/bug_fixes/grpc_stats__fixed-a-crash-or-use-after-free-when.rst b/changelogs/current/bug_fixes/grpc_stats__fixed-a-crash-or-use-after-free-when.rst deleted file mode 100644 index 240aa02a19102..0000000000000 --- a/changelogs/current/bug_fixes/grpc_stats__fixed-a-crash-or-use-after-free-when.rst +++ /dev/null @@ -1,3 +0,0 @@ -Fix: `CVE-2026-47204 `_ - -Fixed a crash or use-after-free when gRPC stats filter performs stat tracking on a direct response route. diff --git a/changelogs/current/bug_fixes/json__limit-json-depth.rst b/changelogs/current/bug_fixes/json__limit-json-depth.rst deleted file mode 100644 index 8e91747fd5272..0000000000000 --- a/changelogs/current/bug_fixes/json__limit-json-depth.rst +++ /dev/null @@ -1,4 +0,0 @@ -Fix: `CVE-2026-48042 `_ - -Limit JSON nesting depth at 1000. The limit could be relaxed to 10K by setting the -``envoy.reloadable_features.limit_json_parser_nesting_depth`` to ``false``. 
diff --git a/changelogs/current/bug_fixes/oauth2__fixed-a-bug-where-filter-may-access.rst b/changelogs/current/bug_fixes/oauth2__fixed-a-bug-where-filter-may-access.rst deleted file mode 100644 index 959c59bb268aa..0000000000000 --- a/changelogs/current/bug_fixes/oauth2__fixed-a-bug-where-filter-may-access.rst +++ /dev/null @@ -1,3 +0,0 @@ -Fixed a bug where the asyncronous token change callback could be triggered after the filter had been -torn down (``onDestroy()`` had been called), which could lead to access dangling pointers and result -in UAF/crash. diff --git a/changelogs/current/bug_fixes/oauth2__fixed-a-bug-where-the-attacker-could.rst b/changelogs/current/bug_fixes/oauth2__fixed-a-bug-where-the-attacker-could.rst deleted file mode 100644 index d4226345c58ed..0000000000000 --- a/changelogs/current/bug_fixes/oauth2__fixed-a-bug-where-the-attacker-could.rst +++ /dev/null 
@@ -1,37 +0,0 @@ -Fix: `CVE-2026-47775 `_ - -Addressed a padding oracle in the OAuth2 filter's AES-256-CBC cookie decryption. The filter -now supports AES-256-GCM encryption with a ``gcm.`` algorithm marker, which authenticates the -ciphertext and removes the oracle. - -**The fix is opt-in to keep rolling upgrades safe.** On upgrade, the default behaviour is -unchanged: cookies are still encrypted with AES-256-CBC and the CBC decrypt path is still -reachable, so existing sessions and mixed-version clusters keep working. Two runtime flags -control the migration: - -* ``envoy.reloadable_features.oauth2_use_gcm_encryption`` (default ``false``) — when set to - ``true``, ``encrypt()`` produces AES-256-GCM ciphertexts prefixed with ``gcm.``. While - ``false`` (the default), ``encrypt()`` continues to emit AES-256-CBC ciphertexts with no - prefix, wire-compatible with older instances. -* ``envoy.reloadable_features.oauth2_legacy_cbc_decrypt_compat`` (default ``true``) — when - ``true``, ``decrypt()`` accepts both ``gcm.``-prefixed cookies (via GCM) and legacy - cookies (via the legacy CBC fallback). When set to ``false``, only ``gcm.``-prefixed - cookies decrypt, legacy CBC cookies are rejected and the affected users are redirected - to the OAuth server to re-authenticate. While the CBC fallback is reachable, it partially - reopens CVE-2026-47775. - -You should set ``envoy.reloadable_features.oauth2_use_gcm_encryption`` to ``true`` once -you have ensured that all instances in your cluster are capable of decrypting GCM-encrypted cookies. -And then, you could set ``envoy.reloadable_features.oauth2_legacy_cbc_decrypt_compat`` to ``false`` -to disable the legacy CBC decryption path at appropriate time. 
- -**Never set ``envoy.reloadable_features.oauth2_legacy_cbc_decrypt_compat`` to ``false`` -before you have enabled ``envoy.reloadable_features.oauth2_use_gcm_encryption``.** - -Both flags and the AES-256-CBC code paths are scheduled for removal once the migration -window has elapsed. - -The OAuth2 filter exposes a new counter ``oauth_legacy_cbc_decrypt`` that increments each -time a cookie is successfully decrypted via the legacy CBC fallback. Operators should watch -this stat decay to zero across the migration window before flipping -``oauth2_legacy_cbc_decrypt_compat`` to ``false``. diff --git a/changelogs/current/bug_fixes/proxy_protocol__fixed-a-bug-where-passthrough-tlvs.rst b/changelogs/current/bug_fixes/proxy_protocol__fixed-a-bug-where-passthrough-tlvs.rst deleted file mode 100644 index d79ffb23d3aef..0000000000000 --- a/changelogs/current/bug_fixes/proxy_protocol__fixed-a-bug-where-passthrough-tlvs.rst +++ /dev/null @@ -1,7 +0,0 @@ -Fix: `CVE-2026-47692 `_ - -Fixed a bug where passthrough TLVs combined with added TLVs could exceed the maximum length, -resulting in a mismatch between the size reported in the header and the number of bytes written. -This could allow a smuggled request from the host writing the PROXY protocol header to the upstream -host. This behavioral change can be reverted by setting the runtime guard -``envoy.reloadable_features.proxy_protocol_remove_too_long_tlvs`` to ``false``. diff --git a/changelogs/current/bug_fixes/quic__dos-qpack.rst b/changelogs/current/bug_fixes/quic__dos-qpack.rst deleted file mode 100644 index 80f527284c1ee..0000000000000 --- a/changelogs/current/bug_fixes/quic__dos-qpack.rst +++ /dev/null @@ -1,3 +0,0 @@ -Fix: `GHSA-p7c7-7c47-pwch `_ - -Denial-of-Service Attack Against the HTTP/3 Stack via QPACK Blocked Decoding. 
diff --git a/changelogs/current/bug_fixes/quic__validate-http3-headers-only.rst b/changelogs/current/bug_fixes/quic__validate-http3-headers-only.rst deleted file mode 100644 index 44e77802dab6f..0000000000000 --- a/changelogs/current/bug_fixes/quic__validate-http3-headers-only.rst +++ /dev/null @@ -1,5 +0,0 @@ -Fix: `CVE-2026-48743 `_. - -Validate HTTP/3 headers-only request and response content-length, and reset stream if inconsistent. - -The change is guarded by runtime guard ``envoy.reloadable_features.quic_validate_headers_only_content_length``. diff --git a/changelogs/current/bug_fixes/router__fixed-an-issue-when-handling-http-303.rst b/changelogs/current/bug_fixes/router__fixed-an-issue-when-handling-http-303.rst deleted file mode 100644 index c630ff5a7685a..0000000000000 --- a/changelogs/current/bug_fixes/router__fixed-an-issue-when-handling-http-303.rst +++ /dev/null @@ -1,4 +0,0 @@ -Fix: `CVE-2026-47221 `_ - -Fixed an issue when handling HTTP 303 internal redirects for body-less requests. The redirect handling -code attempted to drain a request body buffer that was never allocated, causing a segmentation fault. diff --git a/changelogs/current/bug_fixes/tcp_statsd_sync__fix_buffer_overflow_with_large_name.rst b/changelogs/current/bug_fixes/tcp_statsd_sync__fix_buffer_overflow_with_large_name.rst deleted file mode 100644 index d6458b6ca5e72..0000000000000 --- a/changelogs/current/bug_fixes/tcp_statsd_sync__fix_buffer_overflow_with_large_name.rst +++ /dev/null @@ -1,3 +0,0 @@ -Fix: `CVE-2026-48706 `_ - -Fixed a TcpStatsdSync buffer overflow issue with large stats name. diff --git a/changelogs/current/bug_fixes/tls__envoy-fails-to-validate-san.rst b/changelogs/current/bug_fixes/tls__envoy-fails-to-validate-san.rst deleted file mode 100644 index f0f3892d9d928..0000000000000 --- a/changelogs/current/bug_fixes/tls__envoy-fails-to-validate-san.rst +++ /dev/null 
@@ -1,5 +0,0 @@ -Fix: [CVE-2026-47778](https://github.com/envoyproxy/envoy/security/advisories/GHSA-f8x4-rw5x-f3r7) - -Fixes an issue where Envoy could fail to validate the Subject Alternative Name (SAN) of a peer -certificate if the SAN contained an embedded NUL byte. Previously, the SAN parsing was vulnerable -to NUL byte truncation in some configurations, potentially leading to incorrect trust decisions. diff --git a/changelogs/current/bug_fixes/wasm__resolve_cve.rst b/changelogs/current/bug_fixes/wasm__resolve_cve.rst deleted file mode 100644 index a30fefed31992..0000000000000 --- a/changelogs/current/bug_fixes/wasm__resolve_cve.rst +++ /dev/null @@ -1 +0,0 @@ -Bump ``com_github_wasmtime`` to resolve CVE-2026-47261. diff --git a/changelogs/current/bug_fixes/zstd__fixed-memory-exhaustion-vulnerability-in-zstd-decompressor.rst b/changelogs/current/bug_fixes/zstd__fixed-memory-exhaustion-vulnerability-in-zstd-decompressor.rst deleted file mode 100644 index d0faf3a5fc450..0000000000000 --- a/changelogs/current/bug_fixes/zstd__fixed-memory-exhaustion-vulnerability-in-zstd-decompressor.rst +++ /dev/null @@ -1,7 +0,0 @@ -Fix: `CVE-2026-48044 `_ - -Fixed a memory exhaustion vulnerability in the Zstd decompressor where the ``MaxInflateRatio`` -limit was only checked after each input slice was fully processed, allowing a maliciously crafted -compressed payload to expand to hundreds of MB within a single ``process()`` call. The inflate -ratio limit is now enforced inside the inner decompression loop, matching the gzip and brotli -decompressors and aborting decompression as soon as the threshold is breached. diff --git a/changelogs/summary.md b/changelogs/summary.md index a732390aa3b17..e69de29bb2d1d 100644 --- a/changelogs/summary.md +++ b/changelogs/summary.md 
@@ -1,24 +0,0 @@ -**Summary of changes**: - -* Security fixes: - - [CVE-2026-47205](https://github.com/envoyproxy/envoy/security/advisories/GHSA-mvh9-767w-x47j):Authz per route crash - - [CVE-2026-47207](https://github.com/envoyproxy/envoy/security/advisories/GHSA-68cv-hq5f-g6xv): ext_proc response in one gRPC message - - [CVE-2026-47221](https://github.com/envoyproxy/envoy/security/advisories/GHSA-rcff-gw58-pjpr): router internal redirects crash - - [CVE-2026-47220](https://github.com/envoyproxy/envoy/security/advisories/GHSA-j9wh-4qfm-wf2v): REQUESTED_SERVER_NAME crash - - [CVE-2026-47775](https://github.com/envoyproxy/envoy/security/advisories/GHSA-396h-jpq4-vc7p): OAuth2 code verifier padding oracle - - [CVE-2026-48044](https://github.com/envoyproxy/envoy/security/advisories/GHSA-m3p9-47wh-88wg): zstd RLE zip bomb - - [CVE-2026-47204](https://github.com/envoyproxy/envoy/security/advisories/GHSA-3jxh-8p6x-7pf6): grpc_stats filter segfault on Connect protocol requests to direct_response routes - - [CVE-2026-47692](https://github.com/envoyproxy/envoy/security/advisories/GHSA-wh36-hm39-mm3r): PROXY Protocol v2 header generator emits "skipped" TLVs, causing 65 KB attacker-controlled spillover into the upstream application stream - - [CVE-2026-47778](https://github.com/envoyproxy/envoy/security/advisories/GHSA-f8x4-rw5x-f3r7): Embedded NUL in TLS SAN Truncation, Auth Bypass - - [CVE-2026-48042](https://github.com/envoyproxy/envoy/security/advisories/GHSA-f24p-rxw2-g6pv): Stack overflow in destructor of highly nested JSON - - [CVE-2026-48090](https://github.com/envoyproxy/envoy/security/advisories/GHSA-3cj2-c63f-q26f): OAuth2 filter late async token completion after stream teardown results in UAF/crash risk - - [CVE-2026-48497](https://github.com/envoyproxy/envoy/security/advisories/GHSA-j6g2-wf95-q66q): Abnormal process termination in DNS UDP filter - - [CVE-2026-48743](https://github.com/envoyproxy/envoy/security/advisories/GHSA-8phg-2h2q-jgxf): HTTP/3 to HTTP/1 
request smuggling via headers-only request with nonzero Content-Length - - [CVE-2026-48706](https://github.com/envoyproxy/envoy/security/advisories/GHSA-7q3f-gwg7-j8g4): Envoy Heap Buffer Overflow in TcpStatsdSink - - [GHSA-p7c7-7c47-pwch](https://github.com/envoyproxy/envoy/security/advisories/GHSA-p7c7-7c47-pwch): Denial-of-Service Attack Against the HTTP/3 Stack via QPACK Blocked Decoding - -* Upstream security fixes: - - CVE-2026-47261: wasm: bumped ``com_github_wasmtime`` to resolve CVE-2026-47261. - -* Behavior changes: - - build: disabled the contrib extension ``envoy.network.connection_balance.dlb`` (Intel DLB connection balancer) at the Bazel layer for all builds and platforms due to a breakage at the source archive. See https://github.com/envoyproxy/envoy/issues/45491 for local workarounds.
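Review bot: the VERSION.txt hunk rolls 1.37.5 over to 1.37.6-dev and every entry under changelogs/current/ is deleted in the same commit, but nothing in the diff shows those entries landing in a versioned changelog for 1.37.5; confirm the relocation happened in a companion change, since the deleted bug_fixes entries are the only place the runtime guards for the security fixes (for example ``envoy.reloadable_features.proxy_protocol_remove_too_long_tlvs``, ``envoy.reloadable_features.quic_validate_headers_only_content_length`` and the two OAuth2 flags) are documented alongside their advisories. The PLACEHOLDER.txt to PLACEHOLDER rename with 100% similarity is fine and keeps the directory present for the next cycle.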
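Review bot: the wording "packed unexpected ProcessingResponses" in the deleted ext_proc entry is ambiguous, while summary.md describes the same advisory (CVE-2026-47207) as "ext_proc response in one gRPC message"; if the entry is republished, state explicitly which case the fix covers, using the same description in both places.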
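Review bot: the deleted oauth2__fixed-a-bug-where-filter-may-access.rst entry is the only bug_fixes entry for an advisory listed in summary.md that carries no "Fix:" advisory line, even though summary.md attributes it to CVE-2026-48090 (GHSA-3cj2-c63f-q26f); when this text is carried into the release changelog, add that reference, and fix "asyncronous" to "asynchronous" and "could lead to access dangling pointers" to "could lead to access of dangling pointers".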
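Review bot: the deleted CVE-2026-47775 entry describes the padding oracle as being in the filter's AES-256-CBC cookie decryption, whereas summary.md labels the same advisory "OAuth2 code verifier padding oracle"; the two descriptions should agree on what is encrypted before either is republished. Because the entry states the fix is opt-in and that the CBC fallback "partially reopens CVE-2026-47775" while reachable, the release notes should surface the migration order prominently: enable ``envoy.reloadable_features.oauth2_use_gcm_encryption`` on every instance first, watch the ``oauth_legacy_cbc_decrypt`` counter decay to zero, and only then set ``envoy.reloadable_features.oauth2_legacy_cbc_decrypt_compat`` to ``false``.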
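Review bot: the deleted tls__envoy-fails-to-validate-san.rst entry writes its advisory link in Markdown syntax (``[CVE-2026-47778](https://github.com/envoyproxy/envoy/security/advisories/GHSA-f8x4-rw5x-f3r7)``) inside an .rst file, while every other entry uses the reStructuredText ``...`_`` form; Sphinx renders the Markdown form as literal text, so convert it before the entry is reused.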
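Review bot: if the summary.md text is reused for the 1.37.5 release notes, the CVE-2026-47205 line is missing the space after the colon (``):Authz per route crash``), and the upstream fix line names CVE-2026-47261 twice ("CVE-2026-47261: wasm: bumped ``com_github_wasmtime`` to resolve CVE-2026-47261"). The new blob in the index line (e69de29bb2d1d) is the empty-file hash, so the file is intentionally emptied rather than removed, which is consistent with the rest of the roll-over.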